Val Smith

- Affiliations:

• Attack Research

• Metasploit

- Work:

• Attack Techniques Research

• Pen Tester / Exploit Developer

• Reverse Engineer

• Malware Analyst




Previous Talks

- Exploiting malware & VM detection

- Kernel mode de-obfuscation of malware

- Data mining malware collections

- Tactical Exploitation

- Post Exploitation

- Analysis of foreign web attacks
Bios

Chris

Chris is a Security Consultant and Researcher with Secure DNA. Chris specializes in web-based application development security. He has collaborated with some of the top security researchers and companies in the world and has performed static and dynamic security assessments for numerous companies and government agencies across the U.S. and Asia.
What are we talking about?

• Overview of:

- White Hat Methodologies

- Black Hat Methodologies

• Attackers vs. Defenders

• Analysis of Black Hat techniques in the Wild

• Black Hat Methodologies Demystified

• How can this help you?

• What can you do?



Overview of White Hat Methodologies 
Overview of White Hat Methodologies

• Goals

- Focus on racking up numbers of hacked machines

- Data to fill reports

- Identifying mitigations

• How to prevent the attack

- Vulnerability footprint, not penetration

• Identifying accessible data is often a secondary goal
Overview of White Hat Methodologies

• Goals 

- No downtime for the customer 

• DoS usually not allowed 

• Even if it facilitates access via reboot, etc. 

- No modifications 

• Typically can't change: 

- Customer source code 

- Databases 

- Testing the response and detection mechanisms 

• Did the IDS catch us? Did they do anything? 
Overview of White Hat Methodologies

• Information Gathering

- Heavy focus on scans

• Massive Nmap / Nessus runs are the norm

- Some overlap with Black Hats

• DNS / domain lookup records

• Google hacking

• Googling personnel

- Less concern for detection
Overview of White Hat Methodologies

• Vulnerability Assessment

- Almost always automated scanners

• Detectable & fingerprintable

- Often a guess at a potential vulnerability

- Focus on risk & threat analysis

• Vulnerability Consequences

- How does this hurt the client's business?

- Do they stand to lose money / customers?

- How likely is the attack to occur?
Overview of White Hat Methodologies

• Exploitation

- Download and run exploits from milw0rm

• Now defunct

• How many pen test shops does this put out of business?

- SecuriTeam & SecurityFocus

- Core Impact / Canvas / Metasploit

- Match up with Nessus results

- Usually no testing; run live against the customer
Overview of White Hat Methodologies

• Data Collection

- Screenshots

- Sample documents

• Just enough to prove access

- No analysis of attack paths

- No prolonged infiltration

• No long-term sniffing / keylogging
Overview of Black Hat Methodologies

Overview of Black Hat Methodologies

• Goals 

- Wide ranging 

- Data, not just access focused 

- Targeting specific trusts 

• People weakest link in trust chains 

- Semi-unrelated access that may provide a stepping stone

• 6 degrees of separation

• Any box on any network is within 6 degrees of the true target
Overview of Black Hat Methodologies

• Goals

- Access to source

• Let THEM do the hacking for you

- They infect their own systems with backdoored updates

• Source enables more assets

- Example:

• Target runs WordPress

• Black Hat owns the WordPress source server

• Audit & backdoor the code

• Surefire ownage of the ultimate target in time
Overview of Black Hat Methodologies

• Information Gathering

- Nothing is off limits

- If the needed info resides on an unrelated box, it's still in scope

- Social networking

- Call up the target and ask for info

• Call the target's friends, co-workers, family
Overview of Black Hat Methodologies

• Vulnerability Assessment

- Attackers often know what's vulnerable ahead of time

• No need for noisy scans

- More efficient than the white hat's trial & error

- Stolen source code

• Trojaned

• Audited for 0days
Overview of Black Hat Methodologies

• Vulnerability Assessment

- Non-traditional vulnerabilities

- Example:

• Software distribution & licensing application

• Written in house by the target

• Installed on every computer

• Runs with domain admin account privileges

• Password changed every x minutes

- Accessible in clear text in memory with a debugger

• Domain admin access to any machine for x minutes





Overview of Black Hat Methodologies

• Exploitation

- 0days

• Often only used when public bugs don't work

• Avoid risking burning an unpublished bug if possible

- Usually interception from another box is better

- Ex. Metasploit usually waits for a 0day to become public before committing it to trunk

- Wait till the bug becomes a 1day, then blend in with worm traffic
Overview of Black Hat Methodologies

• Data Targets 

- Mail spools 

- Backup files 

- Database dumps 

- Sniffer logs 

- Keystrokes and chat logs 

- Access tokens 

• Crypto keys, Kerberos tickets, Windows domain tokens

- Targets of opportunity 

• Maybe data xyz is the goal but abc is found more valuable 
Overview of Black Hat Methodologies

• Data Theft

- Client Injection / Exploitation

• Vulnerable Client Applications

- BSD IRC client exploit

• Browsers

- Grab sensitive data in the browser POST

» Before it's SSL encrypted; on-screen keyboards = useless

- Backdoors

• Access Points

• Services

• Utilities
Attackers vs. Defenders

Attackers vs. Defenders

• Defenders:

- Limited resources

- Limited time

- Rules of engagement

- Consequences based on performance

• If a pen tester never gets in, they stop getting hired

- Motivation

• Attackers:

- Unlimited resources

- Unlimited time

- On a long enough timeline everything gets owned

- If an attacker targets you, the odds of success increase over time

- No consequences to not getting in

- Little to no rules

- Motivation

Attackers vs. Defenders

• White Hats are usually assigned a limited block of IP addresses

- Unable to go beyond the scope of the approved list

• Black Hats usually know one piece of information and have to expand from there

- Domain name

- Email address





Attackers vs. Defenders

• Black Hats need techniques for discovering target-related IPs and client-side info

- Newsgroup mail header harvesting

- Proxy log analysis site mining

- Backscatter spam

- Botsvsbrowsers
You know the target's domain name. Look at the IP range. It is unlikely to be the target's operational LAN.
[Screenshot: CentralOps Domain Dossier lookup for sina.com. The address lookup resolves www.sina.com to 71.5.7.191; the domain whois record from whois.internic.net shows registrar Network Solutions, name servers NS1-NS3.SINA.COM.CN, and a registrant address in Beijing.]
Searching newsgroup postings for the target domain yields an email bounce with headers. The header shows the IP the email was sent from. It is likely to be the target LAN or a home IP of a user on the target LAN (VPN maybe?). Sometimes the headers in mailing list posts themselves have the same info.
[Screenshot: a qmail "failure notice" bounce from MAILER-DAEMON at mail.sfw-cd.com, found via Google Groups, quoting the original message's headers. The Received chain shows the message entering the receiving server from 202.108.3.82 (mail3-82.sinamail.sina.com.cn), an earlier hop from the webmail user's own address, and an originating-IP header that repeats 202.108.3.82.]



Check the IP the email came from. It is a totally different network, in the target country.
[Screenshot: CentralOps network whois for 202.108.3.82. APNIC reports inetnum 202.108.0.0 - 202.108.255.255, netname UNICOM-BJ, "China Unicom Beijing province network", country CN, status ALLOCATED PORTABLE, with ChinaUnicom Hostmaster as the admin contact.]
Search for file types associated with mailboxes to gather client-side information.
[Screenshot: Google search for filetype:mbox, returning publicly indexed mailbox files: mailing-list archives and personal .mbox files hosted on various sites, each result beginning with an mbox "From " line.]
[Screenshot: one of the indexed .mbox files opened in the browser. Its headers expose the sender's mail client (X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9), the spam filter version and rules in X-Spam-Status, the Message-Id and In-Reply-To hostnames, and the correspondents' addresses.]
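The two harvesting steps above (the bounce's Received chain and the indexed mbox headers) come down to reading mail headers. This is an added example, not from the slides: it shows the same reading from the defender's side, so you can run it over copies of your own list posts and bounces and see which relay and internal addresses and which client fingerprint they hand out. The message is constructed (documentation and RFC 1918 addresses); the header names are standard.

```python
"""Audit what a message's headers hand to a header harvester.

Reports the IPv4 addresses in the Received chain (split into public and
internal), the X-Originating-IP value, and the client-fingerprint headers
(X-Mailer, User-Agent). SAMPLE is constructed: 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges, 10.20.2.5 is RFC 1918 space."""
import email
import ipaddress
import re
from email import policy

# An IPv4 literal, with or without the [] that Received lines wrap it in.
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Address space that should never appear in mail an outsider can read.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")]

# Headers that identify the mail client or the host that submitted the mail.
CLIENT_HEADERS = ("X-Mailer", "User-Agent", "X-Originating-IP")

SAMPLE = """\
Return-Path: <alice@example.org>
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby lists.example.com (Postfix) with ESMTP id 4A716;
\tFri, 9 Jan 2009 14:33:16 +0000
Received: from [10.20.2.5] (unknown [10.20.2.5])
\tby mx.example.net (Postfix) with ESMTPSA;
\tFri, 9 Jan 2009 14:33:10 +0000
Received: from [198.51.100.23] by webmail.example.net via HTTP;
\tFri, 9 Jan 2009 14:33:08 +0000
X-Originating-IP: [198.51.100.23]
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
From: Alice <alice@example.org>
To: list@example.com
Subject: constructed sample

body
"""


def classify(ip_text):
    """'private' for RFC 1918/loopback/link-local, 'public' otherwise,
    None if the text is not a valid IPv4 address."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ipaddress.AddressValueError:
        return None
    return "private" if any(ip in net for net in _INTERNAL) else "public"


def harvest(raw_message):
    """Return what the headers of raw_message expose.

    hops:        (received_index, ip, class) for every IPv4 in a Received
                 header, in header order (last relay first)
    public:      de-duplicated public IPs from the hops, same order
    private:     de-duplicated internal IPs (addressing leaked outside)
    originating: IP from X-Originating-IP, or None
    client:      the CLIENT_HEADERS that are present, name -> value
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops, public, private = [], [], []
    for idx, received in enumerate(msg.get_all("Received", [])):
        # One Received line may carry several addresses (HELO argument,
        # reverse-DNS annotation, relay address); keep all of them.
        for ip_text in _IPV4.findall(str(received)):
            kind = classify(ip_text)
            if kind is None:
                continue
            hops.append((idx, ip_text, kind))
            bucket = public if kind == "public" else private
            if ip_text not in bucket:
                bucket.append(ip_text)
    client = {name: str(msg[name]) for name in CLIENT_HEADERS
              if msg[name] is not None}
    originating = None
    if "X-Originating-IP" in client:
        found = _IPV4.search(client["X-Originating-IP"])
        originating = found.group(1) if found else None
    return {"hops": hops, "public": public, "private": private,
            "originating": originating, "client": client}


if __name__ == "__main__":
    report = harvest(SAMPLE)
    for idx, ip, kind in report["hops"]:
        print(f"Received[{idx}]: {ip} ({kind})")
    print("public IPs exposed:", report["public"])
    print("internal IPs leaked:", report["private"])
    print("originating IP:", report["originating"])
    for name, value in report["client"].items():
        print(f"{name}: {value}")
```

On the sample the internal relay address 10.20.2.5 and the submitting client's public address both survive into the list archive, which is exactly what the slides' bounce shows.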
Botsvsbrowsers gives you, by IP address, client information such as browser and operating system.
[Screenshot: botsvsbrowsers.com IP directory results for 119.0.0.0 to 119.255.255.255. Each entry pairs an IP with the User-Agent it presented: mostly MSIE 6.0/7.0 on Windows NT 5.1 (some with zh-CN locale, Maxthon, 360SE or .NET CLR tokens), a few Firefox 2/3 builds, and Baiduspider/Googlebot crawlers.]
Some sites have exposed Squid proxy log analysis pages. In this view you can see some hostnames and internal IP addresses.



[Screenshot: "MySQL Squid Access Report 2.1.4" page, "Hosts and Users Summary for a Specific Day" (Friday, 17 August 2007), listing host/username rows with site counts and bytes, and a "Latest user activity" table in which the internal client 10.78.32.4 fetches www.friv.com pages and a google-analytics beacon with TCP_IMS_HIT/304 and TCP_MISS/200 statuses.]
This view shows user IDs and traffic quantities.




[Screenshot: SARG "Squid User Access Reports" for 2009May22, sorted by bytes: a Topuser table with USERID, CONNECT, BYTES, %BYTES, IN-CACHE-OUT, ELAPSED TIME, MILISEC and %TIME columns, listing nine proxy account names by traffic volume (790 MB in total). Generated by sarg-2.2.5 on May/23/2009.]
This view shows the addresses a particular user is browsing to.





[Screenshot: SARG per-user report for one proxy account (period 2009May22-2009May22), the "ACCESSED SITE" table sorted by bytes. A few raw IP addresses and video hosts dominate the volume, followed by mail.google.com, news and forum sites, ad and counter hosts and search engines, with CONNECT, BYTES, %BYTES, IN-CACHE-OUT, ELAPSED TIME and MILISEC columns per site.]
[Screenshot: another site's exposed SARG "Squid User Access Report" (period 2007May10, sorted by bytes). Here the USERID column holds internal client IPs (10.20.2.5 with 1.77G, then 10.20.2.210, 10.20.2.205, 10.130.102.43, 10.85.72.201 and others), 1.87G in total. Generated by sarg-2.1 on May/10/2007.]
[Screenshot, captioned "Shows what Antivirus program the target is running and how often they update": a SARG Squid User Access Report for the period 2009Apr02-2009Apr04, user 192.168.102.145, sorted by BYTES (reverse). The access list is page after page of requests to Kaspersky Lab update hosts (*.kaspersky-labs.com) on 04/02/2009, roughly one a minute between 14:40 and 15:36.]
[Screenshot, captioned "Shows that target is running Microsoft Windows and gives hints as to what updates are being installed as well as frequency of update": a SARG Downloads report for the period 2008Feb11-2008Feb11, reached through an inurl:squid-reports web search (visible in the browser tabs), listing downloads by two internal hosts in 192.168.100.0/24 on 02/11/2008. Accessed sites include www.download.windowsupdate.com .cab packages, activex.microsoft.com/objects/ocget.dll and codecs.microsoft.com/isapi/ocget.dll, an ESET NOD32 update URL on eset.com, download.skype.com/SkypeSetup.exe, rapidshare and depositfiles archive downloads, and a long run of favicon.yandex.net requests.]
Analysis of Black Hat Techniques in the Wild
• How White Hats get
assigned Targets: 

- "Only touch xyz 
hosts, don't touch 
abc, those are 
production" 

- "Hosts 123 we 
already know are 
vulnerable, don't 
worry about those" 







• How Black Hats 
Choose Targets: 

- Source code devs 

- Pen testers 

- Researchers 

- Maintain Control 

- May not yield access 
immediately 




Analysis of Black Hat Techniques in the Wild 

• Environment Modeling & Testing 

- White hats test attacks against clients 

- We have seen whole environments mirrored 

- Base mock up on info gathering 

• Match OS, hardware, patch levels, applications 

• Virtualization up to real hardware 

• Exploit Development 

- Black Hats write them 

- White Hats use them 
Analysis of Black Hat Techniques in the Wild

• Flexible Environment Testing 

- Can do vulnerability assessment at leisure 

• Code auditing 

- Double win: 0day + Ownage

• Fuzzing 

• Reverse Engineering / Binary Analysis 

- Exploit testing without alerting target 

- One case was 18 months of staging 

• Less than 1 minute of exploitation 

• 5 minutes of data stealing 
Analysis of Black Hat Techniques in the Wild

• Examples 

- Attack on Apache.org 

- Attack on Debian.org 

- Attack on Wordpress.com 

- Attack on Comcast.net 

- Attack on Linux Distro 

- Attack on Bank 
Analysis of Black Hat Techniques in the Wild

• Apache.org 

- Attackers used no exploits. Instead they relied 
on configuration errors 

- Used a combination of small bugs leveraged 
against the system to gain 

- Administrative access to the main source 
repository 

- Patiently waited for root to login. 

- Defaced 
Analysis of Black Hat Techniques in the Wild

• Debian.org

- Attackers used no exploits. 

- SSH Authkey misuse on a system in Japan and 
a system in the Netherlands 

- Allowed access to the administrative account on 
debian.org 

- SSHD backdoored and core debian OS source 
backdoored 

- Was unknown for 6 months 
Analysis of Black Hat Techniques in the Wild

• Wordpress.com

- Attackers used zero day vulnerability

- Backdoored live web application

- Accessed chief source code repository

- Backdoored source code

- Was quickly noticed and fixed
Analysis of Black Hat Techniques in the Wild

• Comcast.net

- Attackers used no exploits

- Attackers social engineered Network Solutions into granting them access to Comcast's account

- Attackers redirected comcast.net domain name to attacker controlled servers

- Defaced
Analysis of Black Hat Techniques in the Wild

• Major Linux Distro

- Heard of attacker getting in over months

- Subtly backdoored distro

• Introduced bug

- Matched md5s

- Able to own any system for 6 months

- Distro NOT the ultimate target
Analysis of Black Hat Techniques in the Wild
• Hackme Bank 

- Found devel host on separate network 

- Attackers used custom vuln in co-located website 

- Read many files via directory traversal 

• Solaris treats directories like files 

- So you can do cat dir/ and get an ls

- Discovered copy of every transaction goes over 
email 

- Copied mail spool via targets own website 

- $$$$
Analysis of Black Hat Techniques in the Wild
• Air Gap 

- Difficult to hack network w/ smart admins 

- Attackers did recon, read target procedure docs 

• Two networks 

- One online, heavily monitored 

- One offline exact copy cold backup 

- One tape drive machine for copying back and forth 

- Compromised tape system (nothing else vuln) 

• Found 0day in unix TAR

• Generated a malicious TAR file header 

• Payload wrote malicious binaries into archive 
Analysis of Black Hat Techniques in the Wild
• Air Gap 

- Exploit had to reload TAR and start untarring from an 
offset pointing to valid archive 

• Execution continuation 

- Admins eventually moved trojaned backups to "cold" side 

- Attacker made loud (but ineffective) attacks on "hot" side 

- Admins assumed compromise and restored "hot" side 
from cold backups 

• Thus trojaning their own systems and giving attacker access 
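An added defender-side example, not from the original talk: the restore host in the air-gap story could have refused the crafted archive if its tar reader validated every header before acting on it. The validator below checks the header checksum, octal field syntax, the declared size against the archive length and the member path before any data is touched. The one-member archive and the rewrite_header_field tampering helper are constructed for the example; build_sample_archive, validate_headers and rejects are this example's own names, not any tar implementation's.

```python
"""Validate ustar headers before trusting an archive (constructed example).

A restore host that reads backups from tape should refuse a header that is
internally inconsistent rather than act on it. Each 512-byte header is
checked for checksum, octal field syntax, a size that fits inside the
archive and a member path that cannot escape the extraction directory.
"""
import io
import tarfile

BLOCK = 512
SAMPLE_DATA = b"Welcome to the cold-side restore host\n"   # constructed member content


def _octal(field: bytes) -> int:
    """Parse a NUL- or space-terminated octal field; any other byte is an error."""
    digits = field.split(b"\x00", 1)[0].strip(b" ")
    if digits == b"":
        return 0
    if any(c not in b"01234567" for c in digits):
        raise ValueError(f"non-octal header field {field!r}")
    return int(digits, 8)


def _checksum(header: bytes) -> int:
    """Unsigned byte sum of the header with the 8-byte chksum field read as spaces."""
    return sum(header[:148]) + 8 * 0x20 + sum(header[156:])


def _safe_member_path(path: str) -> bool:
    """Reject empty names, absolute paths and any '..' component."""
    return bool(path) and not path.startswith("/") and ".." not in path.split("/")


def validate_headers(archive: bytes):
    """Return [(path, size), ...] for each member, or raise ValueError at the
    first header that is corrupt, oversized or points outside the target tree."""
    members = []
    off = 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\x00" * BLOCK:                      # end-of-archive marker
            break
        if _octal(hdr[148:156]) != _checksum(hdr):
            raise ValueError(f"checksum mismatch at offset {off}")
        name = hdr[0:100].split(b"\x00", 1)[0].decode("utf-8", "replace")
        prefix = hdr[345:500].split(b"\x00", 1)[0].decode("utf-8", "replace")
        path = f"{prefix}/{name}" if prefix else name
        if not _safe_member_path(path):
            raise ValueError(f"unsafe member path {path!r} at offset {off}")
        size = _octal(hdr[124:136])
        if off + BLOCK + size > len(archive):
            raise ValueError(f"{path!r} claims {size} bytes past end of archive")
        members.append((path, size))
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK   # skip the data blocks
    return members


def rejects(archive: bytes) -> bool:
    """True when validate_headers refuses the archive."""
    try:
        validate_headers(archive)
    except ValueError:
        return True
    return False


def build_sample_archive() -> bytes:
    """Constructed one-member ustar archive written with the standard library."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("etc/motd")
        info.size = len(SAMPLE_DATA)
        tf.addfile(info, io.BytesIO(SAMPLE_DATA))
    return buf.getvalue()


def rewrite_header_field(archive: bytes, start: int, value: bytes) -> bytes:
    """Constructed tampering helper: overwrite bytes of the first header and
    recompute the checksum, so only the semantic checks can catch the change."""
    hdr = bytearray(archive[:BLOCK])
    hdr[start:start + len(value)] = value
    hdr[148:156] = b"%06o\x00 " % _checksum(bytes(hdr))
    return bytes(hdr) + archive[BLOCK:]


if __name__ == "__main__":
    good = build_sample_archive()
    print(validate_headers(good))                                              # [('etc/motd', 38)]
    print(rejects(rewrite_header_field(good, 0, b"../../usr/bin/ls\x00")))     # True
    print(rejects(rewrite_header_field(good, 124, b"%011o\x00" % (1 << 30))))  # True
    print(rejects(rewrite_header_field(good, 124, b"99999999999\x00")))        # True
```

Real tar readers accept more than this (GNU long names, sparse members, PAX extended headers), so a production check would allow exactly the formats the backup job produces and reject everything else; the point is that the decision is made before any byte is written to the cold side.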
Analysis of Black Hat Techniques in the Wild
• Banking backbone 

- Attacker stumbled upon system while doing x25 scans 

- Old ftp / ftp uname & password trick worked for a shell 

- Attacker poked around system and noticed financial 
transactions 

• LARGE amounts of money 

• Grabbed docs and logged out 

- Turned out to be major banking transaction system

• All transactions encrypted, but banks would ftp transaction logs to 
server and store them clear text for balance reconciling 

- By coincidence attacker met system owner in real life 

- Caused no damage, but spent a year hiding 
Analysis of Black Hat Techniques in the Wild
• University 

- Attacker compromised system at major university 

- Forensics discovered the compromise 

- Attacker used a kernel rootkit years before common 

• Investigators assumed nation state sponsored attack 

• It wasn't 

• Rootkit removed 

- Attacker spent 6-8 months designing a bios rootkit 

- Re-compromised system and went undetected with new 
technique 

- Illustrates persistence of some attackers 
Black Hat Techniques De-Mystified

• Few exploits used in attacks

- Often only 1 exploit needed

- Rest is captured passwords

- Trust hijacking

- Using compromised user's access 

• Datacenter / SSH example 

• authorized_keys infection 
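The authorized_keys point above, as an added example that is not part of the original slides: a key appended to authorized_keys looks exactly like a legitimate one and its comment can say anything, so the audit below keys on the SHA256 fingerprint of the key blob against an allowlist and also reports approved keys that carry no from= restriction. The key blobs, the allowlist and the file content are constructed for the example; parse_line, audit and fingerprint are this example's own names.

```python
"""Audit an authorized_keys file for planted or over-privileged keys
(constructed example).

The check keys on the SHA256 fingerprint of each key blob: anything not on
the approved list is reported as UNKNOWN_KEY, and any key without a from=
option is reported as NO_SOURCE_RESTRICTION.
"""
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split(text: str, sep_is_space: bool) -> list:
    """Split on whitespace (or on commas) that is outside double quotes."""
    tokens, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif not quoted and (ch.isspace() if sep_is_space else ch == ","):
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_line(line: str):
    """Return (options, keytype, key_b64, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split(line, sep_is_space=True)
    # The key type is either the first token or follows a single options token.
    for idx in (0, 1):
        if idx < len(tokens) and tokens[idx] in KEY_TYPES and idx + 1 < len(tokens):
            options = tokens[0] if idx == 1 else ""
            return options, tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])
    raise ValueError(f"unparseable authorized_keys line: {line!r}")


def audit(text: str, approved: dict) -> list:
    """Return (line_number, finding, fingerprint, comment) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _keytype, key_b64, comment = parsed
        fp = fingerprint(key_b64)
        if fp not in approved:
            findings.append((lineno, "UNKNOWN_KEY", fp, comment))
        option_names = {opt.split("=", 1)[0] for opt in _split(options, sep_is_space=False)}
        if "from" not in option_names:
            findings.append((lineno, "NO_SOURCE_RESTRICTION", fp, comment))
    return findings


def _fake_key_blob(seed: int) -> str:
    """Constructed ed25519-shaped public key blob (not a real key pair)."""
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()        # 32 stand-in bytes
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + point
    return base64.b64encode(blob).decode()


KEY_DEPLOY, KEY_ALICE, KEY_PLANTED = (_fake_key_blob(i) for i in (1, 2, 3))

# Constructed authorized_keys content: the third key reuses Alice's comment.
SAMPLE_AUTHORIZED_KEYS = f"""\
# backup pull from the bastion only, single command
from="10.0.0.5",command="/usr/local/bin/backup.sh" ssh-ed25519 {KEY_DEPLOY} deploy@bastion
ssh-ed25519 {KEY_ALICE} alice@laptop
ssh-ed25519 {KEY_PLANTED} alice@laptop
"""

# Constructed allowlist: fingerprints of the keys the team actually issued.
APPROVED = {fingerprint(KEY_DEPLOY): "deploy", fingerprint(KEY_ALICE): "alice"}


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(finding)
```

Run it over every account's key file (including any extra AuthorizedKeysFile paths in sshd_config) on a schedule and alert on UNKNOWN_KEY; a from= restriction also turns a stolen private key into something usable only from the listed hosts.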
Black Hat Techniques De-Mystified
• Few exploits used in attacks 

- Looking like a normal user is hard to detect 

• No shellcode / payloads for IDS to see 

• Traffic looks like normal user activity 

- 0day is priceless

• Often used when 1day 

- Greater knowledge of system internals is key 

- Attackers know your playbook 

• Blackhats don't do what pen testers do 

• (Unless they want to look like you) 
Black Hat Techniques De-Mystified

• Problems attackers run into

- Secure Data Exfiltration 

- Dangerous Data 

• Mail spools full of viruses 

• Smart targets, documents with attribution call homes 

• Trojaned TAR files 

- Built to overwrite home directories 

- Burn data to CD 

- Read offline on throw away box 

• Avoids above problems 
Black Hat Techniques De-Mystified
• Problems attackers run into 

- Retrieving GB's over Tor 

- Download managers not just for warez 

- Scripted Tor wget's 

- POSTs instead of GETs

- Obfuscates logs 

- How to get reverse shells back without 
attribution? 

- Leaking info during attack (emails / chats) 
Black Hat Techniques De-Mystified

• Maintaining Control 

- Data Interception is priority number one. 

• Let the victims do the hacking for you 

- Why use rootkits?

• Detectable 

• Kernel behavior almost always indicates Ownage 

- Better to ensure re-exploitation at will 

- Hide in plain sight / look like normal activity
Black Hat Techniques De-Mystified

• Maintaining Control 

- Introduce subtle bugs instead of backdoor binaries 

- Modify source to be vulnerable 

• Harder to detect than blatant backdoor 

- Downgrade applications to vuln versions 

- Re-enable disabled accounts 

- Keep admins & incident response second guessing 

• Flood box with worms & malware if you don't get in 

• Hide in the noise 
Black Hat Techniques De-Mystified

• Maintaining Control 

- Example: 

- Machine has VNC installed 

- Replace installed VNC with vulnerable version 

• Authentication bypass 

- Copy registry password so target doesn't realize 
software has been updated 

- Persistence with no malware or rootkits to get 
detected 
• Maintaining Control

- Add vulnerable code
- Example: web apps 

• Take out user input validation 

• Inject your vulnerable code 

- Focus on vague intent 

- Never be obviously and solely malicious 

• Look for apps with previous vulnerabilities 

• Re-introduce patched bugs 
• Maintaining Control

- More web app examples

- Add hidden field to HTML form

• Users detect no change, app performs normally
<input type="hidden" name="Lang">

- Edit web app and tie vuln perl code to form field input

if (defined $hidden_field) {
    open(my $fh, ">$hidden_field");   # file name comes straight from the hidden field
}

- Craft a POST including the hidden field 
• Maintaining Control

- Code will execute your commands 

- Who needs to bind a shell to a port? 

- Unlikely to ever be detected 

• Especially good in big apps 

• Code review can't ever be sure of maliciousness 

• But some sites replace code every X time-period 

- No rootkits to install 

- Unusual to tripwire all web code 
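An added example, not the talk's own code, of the tripwire the last bullet says is unusual: a SHA256 manifest of the web root, diffed against the copy taken at deploy time, with a second pass that lists hidden form fields a changed template introduced. The two snapshots are constructed inline and reproduce the hidden-field edit from the previous slides; snapshot_dir, manifest and compare are this example's own names.

```python
"""Tripwire for deployed web code (constructed example).

Builds a SHA256 manifest of every file under the web root, diffs it against
a baseline taken at deploy time, and for each changed template reports
hidden <input> fields that were not there before. The hash diff flags the
Perl change whether or not a reviewer would call it malicious; the
hidden-field report points straight at the new form parameter.
"""
import hashlib
import os
from html.parser import HTMLParser


class _HiddenInputs(HTMLParser):
    """Collects the name of every <input type="hidden"> in a document."""

    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("type", "").lower() == "hidden" and a.get("name"):
                self.names.add(a["name"])


def hidden_input_names(content: bytes) -> set:
    """Hidden field names found in HTML (or in HTML embedded in script source)."""
    parser = _HiddenInputs()
    parser.feed(content.decode("utf-8", "replace"))
    return parser.names


def snapshot_dir(root: str) -> dict:
    """Read every file under root into {relative_path: bytes} (real-world input)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


def manifest(files: dict) -> dict:
    """{path: sha256 hex} for a snapshot."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; report added/removed/modified paths and, for every
    added or modified file, hidden form fields absent from the baseline copy."""
    base_m, cur_m = manifest(baseline), manifest(current)
    report = {
        "added": sorted(set(cur_m) - set(base_m)),
        "removed": sorted(set(base_m) - set(cur_m)),
        "modified": sorted(p for p in base_m.keys() & cur_m.keys() if base_m[p] != cur_m[p]),
        "new_hidden_fields": {},
    }
    for path in report["added"] + report["modified"]:
        before = hidden_input_names(baseline.get(path, b""))
        new = hidden_input_names(current[path]) - before
        if new:
            report["new_hidden_fields"][path] = sorted(new)
    return report


# Constructed baseline snapshot taken right after deployment.
BASELINE = {
    "templates/login.html": b"""<form method="post" action="/cgi-bin/login.pl">
<input type="text" name="user">
<input type="password" name="pass">
<input type="hidden" name="csrf" value="TOKEN">
<input type="submit" value="Login">
</form>
""",
    "cgi-bin/login.pl": b"""use CGI;
my $q = CGI->new;
my $user = $q->param('user');
my $lang = 'en';
""",
}

# Constructed later snapshot: the same tree after the edit the slides describe.
TAMPERED = dict(BASELINE)
TAMPERED["templates/login.html"] = BASELINE["templates/login.html"].replace(
    b'<input type="submit"', b'<input type="hidden" name="Lang">\n<input type="submit"')
TAMPERED["cgi-bin/login.pl"] = BASELINE["cgi-bin/login.pl"] + b"""my $hidden_field = $q->param('Lang');
if (defined $hidden_field) {
    open(my $fh, ">$hidden_field");
}
"""

if __name__ == "__main__":
    print(compare(BASELINE, TAMPERED))
```

The baseline must live somewhere the web server account cannot write, and the comparison must run from outside the box that serves the code; otherwise the same access that edits login.pl edits the manifest. Sites that redeploy on a schedule simply regenerate the baseline from the release artifact each time.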
Black Hat Techniques De-Mystified
• Other Attackers 

- Find them on the target 

- Full intrusion analysis 

- Understand what they have done and what they 
are after 

• Maybe a box you didn't think was important actually is 

- Model your behavior after them 

- Make your activity look like they did it 

- Find and patch the hole they used to get in 

• Kick them out 
Black Hat Techniques De-Mystified

• Other Attackers 

- Example 

• One case found another attacker on same box 

• Had modified login script 

• Exclude logins from attack host from logging 

• Added self as well to same script 
Black Hat Techniques De-Mystified

• Protecting Bugs

- Example

• Attacker had 0day for commonly used service

• Rumors circulated 

• Attacker had a colleague leak a different, less 
reliable but related bug 

• Removed focus from attacker and real bug 

- CMD Exec survived another 4 years 
Black Hat Techniques De-Mystified

• Anonymity 

- Hijack wifi 

- Look for default configured u/p WAPs 

- Modify DMZ to get reverse shells 
back 

- Find web shells on boxes other 
people hacked 

• Use them as launch pads 

• You didn't even have to hack them 
yourself 





Black Hat Techniques De-Mystified 

• Anonymity 

-Tor 

• Hide in the Tor noise 

• Porn, warez & hacking 

• Do all recon possible in Tor or similar 

• Change IP's (Identities) often 

• Use 3rd party web based port scanners 

• Hit target and web tools only from Tor 
Black Hat Techniques De-Mystified
• Anonymity 

- Tor C&C 

• See Metaphish Talk 

• 100% True SSL encrypted 

• Cross platform 

- Mono 

- Linux & Windows with same binary 

• Communicates using Tor hidden services 

• Even if target: 

- Reverses backdoor 

- Has 100% packet capture 

- They cannot trace it back to source 
Black Hat Techniques De-Mystified
• Anonymity 

- Covert communications 

- Attackers use strange covert communications 

- Example 

• Edonkey p2p with crypto enabled appears to simply be SSL traffic 

• Some attackers known to use this for file transfer and 
communications 

• In one case TCP over edonkey 

- Have seen attackers using twitter, gmail and msn 
messenger for command and control of compromised 
systems 
Never Caught

Never Caught

• Anti-forensics & Law Enforcement 

- Cell phone alibi 

• Place phone in desired location away from attack 

• Have call made to phone 

• Have phone answered 

- Accomplices bring complications 

• Auto answer programs for smart phones 

• When phone records are pulled: 

• Location + call record "prove" your location 

- Buy a movie ticket & leave movie early 

- Whole field of study: Alibiware 
Never Caught

• Anti-forensics & Law Enforcement

- Reset every timestamp on system to same date 

• Timestomp 

- Encase exploits 




- Memory only & staged C&C 

• Just enough code to receive next chunk from network 

• True SSL 

• Need full packet capture + break SSL to get C&C 
analysis 

• No real malware on disk to RE 
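An added detection example for the timestamp-reset bullet, not from the original talk: on Linux a tool that sets mtime cannot set ctime, so resetting every file to one date leaves a large cluster of files sharing an exact mtime, each with a ctime later than that mtime. The check below reports only clusters that show both signs. collect gathers real stat data; build_sample_records produces a constructed tree of 30 reset files plus a few untouched ones. All names here are this example's own.

```python
"""Spot mass timestamp resets on a file tree (constructed example).

Two traces survive on Linux when a tool sets every mtime to the same date:
a large cluster of files sharing one exact mtime, and for each of them a
ctime newer than the mtime, because utimes() cannot set ctime and bumps it
to 'now'. Neither alone is proof (cp -p, tar -x and package installs give
the same pattern for one package's files), so the check reports only files
that show both signs and groups them by the shared date.
"""
import os
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileTimes:
    path: str
    mtime: float
    ctime: float


def collect(root: str) -> list:
    """Gather mtime/ctime for every file under root (real-world input path)."""
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            records.append(FileTimes(full, st.st_mtime, st.st_ctime))
    return records


def find_timestomp_clusters(records: list, min_cluster: int = 20, slack: float = 60.0) -> dict:
    """Return {shared_mtime: [paths]} for every group of at least min_cluster
    files whose mtimes agree to the second and whose ctime is later than
    that mtime by more than slack seconds."""
    groups = defaultdict(list)
    for rec in records:
        if rec.ctime - rec.mtime > slack:
            groups[int(rec.mtime)].append(rec.path)
    return {ts: sorted(paths) for ts, paths in groups.items() if len(paths) >= min_cluster}


def describe(clusters: dict) -> list:
    """Human-readable summary, one line per cluster."""
    return [f"{len(paths)} files share mtime {time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(ts))} UTC "
            f"but were changed later, e.g. {paths[0]}"
            for ts, paths in sorted(clusters.items())]


# Constructed sample: 30 files under /var/www reset to 2003-01-01 00:00:00 UTC
# while their inodes were last changed in 2023, plus a few untouched files.
RESET_DATE = 1041379200.0      # 2003-01-01T00:00:00Z
RECENT = 1700000000.0          # 2023-11-14T22:13:20Z


def build_sample_records() -> list:
    records = [FileTimes(f"/var/www/html/page{i:02d}.html", RESET_DATE, RECENT + i)
               for i in range(30)]
    records += [FileTimes("/etc/hostname", RECENT - 86400 * 3, RECENT - 86400 * 3),
                FileTimes("/home/alice/notes.txt", RECENT - 3600, RECENT - 3600),
                FileTimes("/var/log/syslog", RECENT + 5, RECENT + 5)]
    return records


if __name__ == "__main__":
    for line in describe(find_timestomp_clusters(build_sample_records(), min_cluster=10)):
        print(line)
```

Package installs and tar -p extractions produce the same pattern legitimately, so compare a flagged cluster against the package database and recent install logs before calling it a timestamp reset; on NTFS the $FILE_NAME attribute timestamps, which SetFileTime does not touch, give a comparable cross-check.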
Never Caught

• Data protection & destruction 

- Attackers have to protect their data from other 
attackers and law enforcement 

• Some attackers encrypt all data with complex key 

• One group of attackers built a drive "chipper" 

• 1 ½ horse power motor from a metal router

• Metal router blades 

• Result: a giant bin full of drive parts no bigger than ½ inch square

• Good luck getting forensic data 
What does all this mean?

What does all this mean?

- Attackers are determined

• They will not stop

- Attackers are extremely patient

- Only have to succeed once

- Understand how an attacker thinks

- Know your Enemy

- Test everything

• Small bugs yield Big bugs



• Black Hats are not all powerful 

• They just know more tricks 

• Many pen testers are providing 
unrealistic tests 

• Full scope best value 
What does all this mean?



• What can you do? 

- Proper Training 

- Investigate Reports 

- Identify Targets 

- Predict Attackers 

- Proactive Defense is best 

- Defense is not System Administration 

- Properly Mitigate Risk 

- Learn from other peoples mistakes 

- Open Discussion 